CentOS - Apr 2009 - Directory and File Perms

I have a directory shared out via Samba for Quickbooks and seem
to have some issues with permissions. The directory being shared
is a subdirectory in an ext3 partition being mounted with the acl
option.

It has been setup as follows:
     chown root:DOMAIN\AD_Group /mnt/Intuit_Data/
     chmod 2770 /mnt/Intuit_Data/

And the Samba share config is has:
     create mask = 0660
     directory mask = 0770

So when a user creates a file from their Windows box through Explorer
or any other app, it gets perms as you might expect:
     -rw-rw---- 1 Domain+jcasale DOMAIN+AD_Group       0 Apr 29 14:24 test.txt
and it can be deleted by anyone.

Problem is QB uses gamin and this file monitoring daemon runs as root
and all sorts of changes take place as you work with the data, from creating
the company file to editing it in QB, it ends up slowly changing to 0400?


Here is what I am seeing now:
User creates a new company file through QB (this is already fubar'ed):
# ll
-rw------- 1 Domain+jcasale DOMAIN+AD_Group 7647232 Apr 29 14:37 Company.QBW
-rw-r--r-- 1 root           DOMAIN+AD_Group     420 Apr 29 14:36 Company.QBW.ND
-rw-r--r-- 1 Domain+jcasale DOMAIN+AD_Group 1114112 Apr 29 14:36 Company.QBW.TLG
drwx------ 2 root           root              16384 Apr 24 09:34 lost+found
-rw-rw---- 1 root           DOMAIN+AD_Group     300 Apr 24 10:17 qbdir.dat

Now after working with the company in QB, this is what happens:
# ll
-rw------- 1 Domain+jcasale DOMAIN+AD_Group 7331840 Apr 29 14:37 Company.QBW
-rw-r--r-- 1 root           DOMAIN+AD_Group     420 Apr 29 14:37 Company.QBW.ND
-rw------- 1 Domain+jcasale DOMAIN+AD_Group 1245184 Apr 29 14:37 Company.QBW.TLG
drwx------ 2 root           root              16384 Apr 24 09:34 lost+found
-rw-rw---- 1 root           DOMAIN+AD_Group     300 Apr 24 10:17 qbdir.dat


What are my options to control this here? Edit init scripts for that daemon?
I don't know what would happen if it doesn't run as root, but maybe as a
user
that has GID of DOMAIN+AD_Group?

Thanks for any ideas!
jlc

On Wed, Apr 29, 2009, Joseph L. Casale wrote:
>I have a directory shared out via Samba for Quickbooks and seem
>to have some issues with permissions. The directory being shared
>is a subdirectory in an ext3 partition being mounted with the acl
>option.
>
>It has been setup as follows:
>     chown root:DOMAIN\AD_Group /mnt/Intuit_Data/
>     chmod 2770 /mnt/Intuit_Data/
>
>And the Samba share config is has:
>     create mask = 0660
>     directory mask = 0770
>
>So when a user creates a file from their Windows box through Explorer
>or any other app, it gets perms as you might expect:
>     -rw-rw---- 1 Domain+jcasale DOMAIN+AD_Group       0 Apr 29 14:24
test.txt
>and it can be deleted by anyone.
>
>Problem is QB uses gamin and this file monitoring daemon runs as root
>and all sorts of changes take place as you work with the data, from creating
>the company file to editing it in QB, it ends up slowly changing to 0400?
You probably want to look at the ``force user'' and/or ``force
group''
share settings in Samba (or look for a Real Accounting(tm) package in place
of QB :-).

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

Freedom from prices is freedom from responsibility. You can simply pass
laws, using the magic wand of government to satisfy your own desires at
unspecified costs to be paid by others. -- Thomas Sowell Aug 2000

Joseph L. Casale wrote:
> I have a directory shared out via Samba for Quickbooks and seem
> to have some issues with permissions. The directory being shared
> is a subdirectory in an ext3 partition being mounted with the acl
> option.
> 
> It has been setup as follows:
>      chown root:DOMAIN\AD_Group /mnt/Intuit_Data/
>      chmod 2770 /mnt/Intuit_Data/
> 
> And the Samba share config is has:
>      create mask = 0660
>      directory mask = 0770
> 
> So when a user creates a file from their Windows box through Explorer
> or any other app, it gets perms as you might expect:
>      -rw-rw---- 1 Domain+jcasale DOMAIN+AD_Group       0 Apr 29 14:24
test.txt
> and it can be deleted by anyone.
> 
> Problem is QB uses gamin and this file monitoring daemon runs as root
> and all sorts of changes take place as you work with the data, from
creating
> the company file to editing it in QB, it ends up slowly changing to 0400?
> 
> 
> Here is what I am seeing now:
> User creates a new company file through QB (this is already fubar'ed):
> # ll
> -rw------- 1 Domain+jcasale DOMAIN+AD_Group 7647232 Apr 29 14:37
Company.QBW
> -rw-r--r-- 1 root           DOMAIN+AD_Group     420 Apr 29 14:36
Company.QBW.ND
> -rw-r--r-- 1 Domain+jcasale DOMAIN+AD_Group 1114112 Apr 29 14:36
Company.QBW.TLG
> drwx------ 2 root           root              16384 Apr 24 09:34 lost+found
> -rw-rw---- 1 root           DOMAIN+AD_Group     300 Apr 24 10:17 qbdir.dat
> 
> Now after working with the company in QB, this is what happens:
> # ll
> -rw------- 1 Domain+jcasale DOMAIN+AD_Group 7331840 Apr 29 14:37
Company.QBW
> -rw-r--r-- 1 root           DOMAIN+AD_Group     420 Apr 29 14:37
Company.QBW.ND
> -rw------- 1 Domain+jcasale DOMAIN+AD_Group 1245184 Apr 29 14:37
Company.QBW.TLG
> drwx------ 2 root           root              16384 Apr 24 09:34 lost+found
> -rw-rw---- 1 root           DOMAIN+AD_Group     300 Apr 24 10:17 qbdir.dat
> 
> 
> What are my options to control this here? Edit init scripts for that
daemon?
> I don't know what would happen if it doesn't run as root, but maybe
as a user
> that has GID of DOMAIN+AD_Group?
> 
I've handled these kind of complex samba rights problems by either using 
acls or if it's particularly thorny, an inotify script - needs 
inotify-tools-3.13-1.el5.rf.


-- 
tkb